[Freeipa-users] How does one authenticate Windows login against IPA
Coy Hile
coy.hile at coyhile.com
Thu May 19 11:12:14 UTC 2016
Right, you have some process that creates the shadow accounts with a random, unknown, unused pass. This assumes you have some workflow for provisioning rather than doing ad hoc ipa user-add as a human.
> On May 18, 2016, at 23:20, John Meyers <john+freeipa at themeyers.us> wrote:
>
> Even if you get that to work, you are still stuck with the same issue
> discussed earlier in this thread -- you need to have a Windows account,
> either local or AD, to be able to log in and grant rights against. pGina
> just handles the authentication part. The only way to do either a 1-way
> Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to
> AD (or Samba AD) to create the "shadow account"? Winsync will not do this.
>
>
>
>> On 5/18/16 7:49 PM, Michael ORourke wrote:
>> What about using the pGina project on the Windows side?
>>
>> Reference:
>> http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
>>
>> -Mike
>>
>> -----Original Message-----
>>> From: John Meyers <john+freeipa at themeyers.us>
>>> Sent: May 18, 2016 5:19 PM
>>> To: freeipa-users at redhat.com
>>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>>>
>>> All,
>>>
>>> FreeIPA as we've discovered has some wonderful Windows integration
>>> capability, but it is all predicated on Windows AD being the
>>> authoritative source of user information. 2-Way trusts are great, but
>>> they only work for Kerberized applications, not native Windows rights
>>> (that would require FreeIPA to act as global catalog as I learned from
>>> Alexander). The winsync capability does not, as it turns out, sync
>>> native IPA users to AD.
>>>
>>> The million dollar question is if you are a 90% Linux shop and FreeIPA is
>>> your authoritative user repository (AD is a blank slate), how do you
>>> perform local Windows login authentication for the 10% of Windows
>>> machines against FreeIPA?
>>>
>>> Thank you all!
>>>
>>> John
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
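One way the shadow-account provisioning described at the top of this thread could look, as an added example that is not from any poster or from the FreeIPA project. It assumes the RSAT ActiveDirectory module, a text file of IPA logins (one per line) written by the provisioning workflow, and placeholder realm and OU names; the altSecurityIdentities name mapping only matters for the Kerberos trust case and is likewise an assumption about the setup.

```powershell
# Added example, not code from the thread. File name, realm and OU are placeholders.
param(
    [string]$UserList = '.\ipa-users.txt',                    # hypothetical export of IPA logins
    [string]$IpaRealm = 'IPA.EXAMPLE.COM',                    # placeholder Kerberos realm
    [string]$TargetOU = 'OU=Shadow,DC=ad,DC=example,DC=com',  # placeholder OU
    [switch]$MapKerberosPrincipal                             # set for the AD->IPA trust case
)
Import-Module ActiveDirectory

function New-ThrowawayPassword {
    # 32 bytes from the OS CSPRNG; the fixed suffix only guarantees that
    # AD complexity rules are met. The value is never stored or displayed.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $plain = [Convert]::ToBase64String($bytes) + 'aA1!'
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

foreach ($line in Get-Content -Path $UserList) {
    $login = $line.Trim()
    if (-not $login) { continue }

    # Accept only plain account names (sAMAccountName is limited to 20 characters),
    # which also keeps the value safe to place inside the -Filter string below.
    if ($login -notmatch '^[a-z_][a-z0-9_.-]{0,19}$') {
        Write-Warning "Skipping unexpected login '$login'"
        continue
    }

    # Idempotent: never touch an account that already exists.
    if (Get-ADUser -Filter "SamAccountName -eq '$login'") {
        Write-Verbose "$login already exists, leaving it alone"
        continue
    }

    $params = @{
        Name                 = $login
        SamAccountName       = $login
        Path                 = $TargetOU
        AccountPassword      = New-ThrowawayPassword
        Enabled              = $true
        PasswordNeverExpires = $true   # nobody knows the password, so expiry would only lock the account
        CannotChangePassword = $true
        Description          = "Shadow account for $login@$IpaRealm"
    }
    if ($MapKerberosPrincipal) {
        # Name mapping AD uses to tie a foreign-realm principal to this account
        $params.OtherAttributes = @{ altSecurityIdentities = "Kerberos:$login@$IpaRealm" }
    }
    New-ADUser @params
}
```

Because existing accounts are skipped, the script can be run on a schedule; disabling or removing shadow accounts for users deleted from IPA is a separate step it does not cover.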